Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-30 02:25:55 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: #8156 dont allow loading members from hidden groups

Browse Source
This commit is contained in:
Barış Soner Uşaklı
2020-02-10 13:20:10 -05:00
parent 03a02e5d1d
commit f23bc347b1
2 changed files with 17 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
src/socket.io/groups.js
View File

@@ -342,6 +342,18 @@ SocketGroups.loadMoreMembers = async (socket, data) => {
if (!data.groupName || !utils.isNumber(data.after) || parseInt(data.after, 10) < 0) {
throw new Error('[[error:invalid-data]]');
}
const [isHidden, isAdmin, isGlobalMod] = await Promise.all([
groups.isHidden(data.groupName),
user.isAdministrator(socket.uid),
user.isGlobalModerator(socket.uid),
]);
if (isHidden && !isAdmin && !isGlobalMod) {
const isMember = await groups.isMember(socket.uid, data.groupName);
if (!isMember) {
throw new Error('[[error:no-privileges]]');
}
}
data.after = parseInt(data.after, 10);
const users = await user.getUsersFromSet('group:' + data.groupName + ':members', socket.uid, data.after, data.after + 9);
return {